# ISO 27001 vs GDPR: What Is Actually Different

Source: https://scadable.com/blog/iso27001-vs-gdpr
Published: 2026-07-12

---

**ISO 27001 and GDPR get confused constantly because both circle the word "data protection," and a company that has done real work on one often assumes it has covered the other. It has not. GDPR ([Regulation (EU) 2016/679](https://eur-lex.europa.eu/eli/reg/2016/679/oj)) is binding EU law regulating personal data. ISO 27001 is a voluntary, internationally recognized certification of a company's information security management system, covering information security broadly, not personal data specifically. A company can be fully GDPR compliant with no ISO 27001 certificate, and can hold ISO 27001 while still missing real GDPR obligations.**

The confusion is understandable. Both talk about protecting data, both expect access control and encryption, and both show up in the same enterprise security questionnaires. But they differ in legal status, in subject matter, and in who checks the work, and treating one as a stand-in for the other is the mistake we see most often.

## What is the actual difference between ISO 27001 and GDPR?

GDPR is law. It applies the moment you process the personal data of people in the EU, regardless of whether you have ever heard of it, and non-compliance carries statutory fines up to EUR 20 million or 4% of global annual turnover, whichever is higher. ISO 27001 is not law anywhere. It is a standard a company voluntarily chooses to implement, audited by an accredited third-party certification body, and the outcome is a certificate, not a legal status. See our [ISO 27001 framework page](/frameworks/iso-27001) for the full certification process.

The subject matter differs too. ISO 27001 governs information security in general, whatever your Information Security Management System scope covers: source code, credentials, trade secrets, customer data, physical access to your office. GDPR governs one specific category, personal data of EU residents, and asks a narrower but deeper set of questions about it: what you collect, why, under what lawful basis, and what rights the person it belongs to has over it.

## If I have ISO 27001, am I GDPR compliant?

No, and this is the gap companies hit most often after certifying. ISO 27001's Annex A controls, access control, encryption, incident response, cover real ground that supports GDPR's own Article 32 security-of-processing requirement. But GDPR asks for things ISO 27001 does not touch directly: a documented lawful basis for every processing activity, mechanisms for data subject rights like access and erasure, data processing agreements with every vendor that touches personal data, and breach notification to a data protection authority within 72 hours. A company can pass an ISO 27001 Stage 2 audit cleanly and still have no lawful basis documented for half of what it collects.

## If I am GDPR compliant, do I still need ISO 27001?

Not legally, no. GDPR compliance is triggered by processing personal data, not by holding any particular certification, so a company can be genuinely GDPR compliant with zero certifications on the wall. ISO 27001 becomes relevant for a separate reason: it is what international and EU enterprise buyers and public-sector tenders specifically ask for as proof of a functioning security program, in the same way US enterprise buyers ask for SOC 2. If no buyer is asking for it, GDPR compliance stands on its own.

## ISO 27001 vs GDPR at a glance

| | ISO 27001 | GDPR |
| --- | --- | --- |
| Legal form | Voluntary international standard (ISO/IEC 27001:2022), not law | Regulation (EU) 2016/679, binding EU law |
| Regulates | Information security broadly, whatever the ISMS scope covers | Personal data of people in the EU specifically |
| Who is bound | Only companies that choose to pursue certification | Any organisation processing personal data of EU residents, anywhere in the world |
| Trigger | A business decision, usually a buyer or tender requirement | Automatic, the moment you process in-scope personal data |
| Penalties | None. Failure means a failed audit or a lost certificate | Up to EUR 20 million or 4% of global annual turnover, whichever is higher |
| Core focus | Risk assessment and Annex A controls across an ongoing ISMS | Lawful basis, data subject rights, processing agreements, breach notification |

## Where do the two genuinely overlap?

On security of processing, and it is a real overlap worth using. GDPR's Article 32 requires "appropriate technical and organisational measures" to secure personal data, without specifying exactly what those measures are. ISO 27001's Annex A controls, access control, encryption, incident response, logging, are a fully documented, audited answer to that same question. A company with a working ISMS already has most of the security infrastructure Article 32 expects. That is a genuine head start, not a substitute, because GDPR's other obligations, lawful basis, data subject rights, vendor agreements, 72-hour notification, sit outside what Annex A covers and have to be built separately.

## Do the two regulators check the same things?

No. ISO 27001 is checked by an accredited certification body during Stage 1 and Stage 2 audits and annual surveillance audits, looking at whether your ISMS is documented and actually operating. GDPR is enforced by national data protection authorities, who investigate on complaints, breach reports, or their own initiative, and look at your lawful basis, your data subject request handling, and your breach response, not your Annex A Statement of Applicability. Passing one audit says nothing to the other regulator.

## Which one should I prioritise?

Start from what is actually forcing your hand. If you process the personal data of anyone in the EU, GDPR compliance is not optional and should already be in place regardless of any certification plans, our [Business Basics](/frameworks/business-basics) product covers the privacy-policy and data-processing-documentation side of that obligation. If an EU enterprise buyer or a public tender is specifically asking for ISO 27001, that is a separate, deliberate project on top of GDPR compliance, not instead of it. Companies comparing GDPR against other EU regimes entirely, rather than against a voluntary certification, may also want [GDPR vs the Cyber Resilience Act](/blog/gdpr-vs-cyber-resilience-act), which covers the product-security side of EU data and device law.

## Frequently asked questions

**Is ISO 27001 the same as GDPR?** No. ISO 27001 is a voluntary international standard for an information security management system, certified by an accredited third-party body. GDPR (Regulation (EU) 2016/679) is binding EU law governing how personal data of EU residents is collected, processed, and protected. One is a certification you choose to pursue, the other is a legal obligation triggered by processing personal data.

**If I have ISO 27001, am I GDPR compliant?** Not automatically. ISO 27001 Annex A controls, access control, encryption, incident response, cover much of what GDPR Article 32 expects for security of processing. But GDPR also requires a documented lawful basis for processing, honoring data subject rights like access and erasure, data processing agreements with vendors, and 72-hour breach notification, none of which ISO 27001 certification confirms on its own.

**If I am GDPR compliant, do I still need ISO 27001?** GDPR compliance is a legal obligation with no certification attached to it, so being GDPR compliant does not give you an ISO 27001 certificate or the audited management system behind it. If a buyer, an enterprise customer or a public tender, specifically asks for ISO 27001, GDPR compliance alone will not satisfy that ask.

**Does ISO 27001 cover personal data specifically?** Not as its primary subject. ISO 27001 governs information security broadly, whatever information the ISMS scope covers, which can include personal data but is not defined around it. GDPR is specifically about personal data of EU residents. A company can run a certified ISMS that protects trade secrets and system credentials without it saying anything about lawful basis or data subject rights.

**What is the penalty difference between the two?** GDPR carries statutory fines up to 20 million EUR or 4% of global annual turnover, whichever is higher, enforced by national data protection authorities. ISO 27001 has no penalty structure at all. Falling short of it means failing an audit or losing a certificate, not a regulatory fine.

**Does having an ISMS make GDPR compliance easier?** Yes, meaningfully. A working ISMS under ISO 27001 already produces most of the security infrastructure, access control, encryption, incident response, that GDPR Article 32 expects. It is a genuine head start on the security half of GDPR, but GDPR also demands things an ISMS does not touch: lawful basis, data subject rights, processing agreements, and breach notification.

Last reviewed: July 12, 2026.

## Where Scadable fits

Scadable builds the ISO 27001 ISMS and the Business Basics privacy documentation as connected work, not two disconnected projects, because a real information security management system materially supports GDPR's own security-of-processing requirement instead of sitting next to it unused. If you need an audited ISMS, a compliant privacy policy, or both, [book a call](https://cal.com/rahbaral/quick-chat).